
FSSO based Authentication

Fortinet Single-Sign On [FSSO]


• It is a passive authentication method
• Users don't need to log on each time they access a different network resource, i.e. it allows users to be automatically logged into every application after being identified, regardless of the platform, technology and domain
• The FSSO software identifies the user's source IP address
• When a user logs into the directory service, the FSSO agent sends the Fortigate the user's IP address and the names of the user groups to which the user belongs
Directory Service Type
• Microsoft Active Directory
--Domain Controller (DC) Agent mode
--Polling mode: collector agent based, or agentless
--TS agent mode: for Citrix and Terminal Services, collector agent based
• Novell eDirectory
--eDirectory agent mode: uses the Novell API or LDAP settings
DC Agent Mode
• Standard mode for FSSO
• One DC agent is installed on each Windows Domain Controller
• DC agents monitor and forward user login events to the collector agent
• Handles DNS lookups
• The collector agent (CA) is another component, installed on a Windows server
• One or more CAs are installed on Windows servers

DC---UDP 8002---CA---TCP 8000---FGT


Collector Agent Based Polling Mode
• Only the CA is installed on the Windows server
• No DC agent is installed
• Generates unnecessary traffic when there are no login events
• The CA polls the Windows DC for user login events every few seconds
• Event logging must be enabled on the DCs
• More CPU and memory are required by the CA
Collector Agent Based Polling Mode Flow
• The user authenticates with the DC
• The CA frequently polls the DCs to get user logon events
• The CA forwards the logons to the Fortigate
• Users need not authenticate again

DC---TCP 445---CA---TCP 8000---FGT


CA polling mode options
• NetAPI--polls the temporary sessions created on the DC when a user logs in or out, every 9 sec or less
• WinSec Log--polls all the security events on the DC every 10 sec or more
• WMI--a Windows API that gets information from a Windows server; the DC returns all the requested login events every 3 sec
Agent Less polling mode
• Similar to agent based polling, but the Fortigate does the polling
• The Fortigate polls the DCs directly, instead of receiving login information indirectly from the CA
• Requires more system resources and does not scale easily
• Fewer available features than collector agent based polling mode
Agent Less polling mode Flow
• The Fortigate frequently polls the DC to get the user login events
• The user authenticates with the DC
--the Fortigate will discover the login event in the next poll
• Users do not need to authenticate, as the Fortigate knows whose traffic it is

DC---TCP 445---FGT
NT LAN Manager [NTLM]
• FSSO can also work with NTLM
• NTLM is a suite of Microsoft security protocols that provides authentication, integrity and confidentiality
• Many web browsers support NTLM
• It is useful when
--users are logged into DCs that are not being monitored by the collector
--communication between the collector and the DC is blocked or down
• NTLM authentication is best used as a backup for FSSO
NTLM Flow
• NTLM is triggered when the FGT receives traffic from an unknown IP address
• The user attempts to access the internet with the browser [from an IP that is not in the active FSSO list]
• The Fortigate requests the credentials [domain/username and password]
• The user's browser sends the details to the Fortigate
• The Fortigate validates the credentials and group membership with the CA [TCP 8000]
• Access is granted based on membership
FSSO timers
• Workstation Verify interval
--verifies whether the user is still logged in
--the status of the user changes to "Not Verified" if it cannot connect to the workstation
--default 5 min
• Dead Entry Timeout interval
--this setting applies only to entries with an unverified status
--it is used to age out the entry
--when the timer expires, the entry is removed from the CA
--default 480 min [8 hrs]
• IP address change interval
--checks the IP address of logged-in users and updates the Fortigate when a user's IP address changes
--prevents users from being locked out if they change IP address
--default 60 sec
• Cache user groups
--caches the user group membership for a defined period of time
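To show how the three timers above interact on a single logon entry, here is a constructed Python model of a collector agent's logon list (added for illustration; it is not Fortinet's code, and the class, method and probe names are assumptions). It uses the defaults stated on the page (5 min, 480 min, 60 sec) and ticks once per simulated minute, so the 60 sec IP-change check runs on every tick.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Defaults stated on the page; the model ticks once per simulated minute,
# so the 60 sec IP-change check is expressed as a 1 min interval.
WORKSTATION_VERIFY_MIN = 5
DEAD_ENTRY_TIMEOUT_MIN = 480
IP_CHANGE_INTERVAL_MIN = 1


@dataclass
class LogonEntry:
    user: str
    ip: str
    groups: list
    verified: bool = True
    unverified_since: Optional[int] = None  # minute the entry became Not Verified


class CollectorCache:
    """Hypothetical model of a collector agent's logon list (not Fortinet code)."""

    def __init__(self, can_reach: Callable[[str], bool], current_ip: Callable[[str], Optional[str]]):
        self.entries = {}              # user -> LogonEntry
        self.can_reach = can_reach     # workstation verify probe, injected so it can be simulated
        self.current_ip = current_ip   # address lookup used by the IP address change check

    def logon(self, user: str, ip: str, groups: list) -> None:
        """A logon event forwarded to the CA: fresh entries start as Verified."""
        self.entries[user] = LogonEntry(user, ip, list(groups))

    def tick(self, now_min: int) -> None:
        """Run whichever timers are due at simulated minute `now_min`."""
        for e in list(self.entries.values()):
            if now_min % WORKSTATION_VERIFY_MIN == 0:
                if self.can_reach(e.ip):
                    e.verified, e.unverified_since = True, None
                elif e.verified:
                    e.verified, e.unverified_since = False, now_min
            # Dead entry timeout only ages out entries that are Not Verified
            if not e.verified and now_min - e.unverified_since >= DEAD_ENTRY_TIMEOUT_MIN:
                del self.entries[e.user]
                continue
            if now_min % IP_CHANGE_INTERVAL_MIN == 0:
                new_ip = self.current_ip(e.user)
                if new_ip and new_ip != e.ip:
                    e.ip = new_ip  # follows the user, so an IP change does not lock them out

    def status(self, user: str) -> Optional[str]:
        e = self.entries.get(user)
        return None if e is None else ("Verified" if e.verified else "Not Verified")

    def lookup(self, ip: str) -> Optional[LogonEntry]:
        """What the Fortigate asks the CA: which user (and groups) own this source IP?"""
        return next((e for e in self.entries.values() if e.ip == ip), None)
```

A stale entry is only removed 480 minutes after the workstation first failed verification, so until then the Fortigate still maps that source IP to the user.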
AD Access Mode Config
• Standard access mode
--NetBIOS mode: Username\password
--UTM profiles applied only to user groups
--nested groups are not supported
• Advanced mode
--LDAP convention: cn=___, ou=___, dc=___
--UTM profiles applied to both users and groups
--supports nested groups
Troubleshooting
• Information that needs to be collected on the PC

ipconfig /all        (workstation network configuration, including its IP address)
echo %logonserver%   (the DC that authenticated the user)
echo %username%      (the logged-in account name)
net use              (mapped drives and current server sessions)
time /T              (local time, to correlate with logon events)
date /T              (local date, to correlate with logon events)
Questions
